Corporate – Information Governance

Information and Network Security and Monitoring Access: Standard Operating Procedure

Document Control Summary

Status: Replacement. Replaces:
Information Security Policy (R/GRE/ig/04 v2.0)
Network Security Policy (R/GRE/ig/14 v2.0)
Monitoring Access to Confidential Information Policy (R/GRE/ig/18 v2.0)

Version: v1.1 Date: 29th July 2015

Author/Owner/Title: Laura Marklew - Information Governance Lead

Approved by: Policy and Procedures Committee Date: 13th August 2015

Ratified: Policy and Procedures Committee Date: 13th August 2015

Related Trust Strategy and/or Strategic Aims

IM&T Strategy; Digital Strategy

Implementation Date: 1st September 2015

Review Date: September 2018

Key Words: Incident, Reporting.

Associated Policy or Standard Operating Procedures

Information Governance Policy
Acceptable Use of IT Equipment SOP
Acceptable Use of Information and IT Systems SOP
Smartcard Registration and Use SOP

Contents

1. Introduction............................................................................................................... 2

2. Purpose ..................................................................................................................... 2

3. Scope......................................................................................................................... 3

4. Information Security ................................................................................................. 3

5. Network Security ...................................................................................................... 5

6. Security Responsibilities ....................................................................................... 11

7. Process For Monitoring Compliance And Effectiveness ..................................... 13

8. References .............................................................................................................. 14


Information and Network Security and Monitoring Access SOP/August 2015

Page 2 of 14

Change Control – Amendment History

Version Dates Amendments

v1.0 21.07.15 Creation of SOP

v1.1 29.07.15 Minor amendments to wording

1. Introduction

1.1 This SOP replaces the Information Security Policy, Network Security Policy and Monitoring Access to Confidential Information Policy and should be read in conjunction with the Information Governance Policy. This SOP and other associated policies and procedures are written in alignment with, and comply with, the following standards:

• BS ISO/IEC 27001:2013: Information Technology – Security Techniques – Information Security Management Systems – Requirements
• BS ISO/IEC 17799:2005: Information Technology – Security Techniques – Code of Practice for Information Security Management (renumbered ISO/IEC 27002 in 2007)

2. Purpose

2.1 This SOP will provide the mechanism through which compliance is achieved with UK and EU legislation. It is essential that the Trust’s information, information systems and data networks are adequately protected from events which may compromise the provision of IM&T services. This SOP will provide a measure against which information security events are assessed and subsequently managed.

2.2 With advances in the electronic management of both health and employment information within the NHS, the requirement to monitor access to such confidential information has become increasingly important. With the large number of staff using these systems, it is imperative that access is strictly monitored and controlled. Furthermore, with the increased use of electronic communications, the movement of confidential information via these methods poses the threat of information falling into the hands of individuals who do not have a legitimate right of access to it.

2.3 These procedures provide an assurance mechanism by which the effectiveness of controls implemented within the Trust is audited, areas for improvement and concern are highlighted, and recommendations for improved control and management of confidentiality within the Trust are made.


3. Scope

3.1 The scope of this SOP will include all information, information systems and data networks under the ownership of, or directly serviced by, South Staffordshire and Shropshire Healthcare NHS Foundation Trust. This SOP applies to all members of the Information Governance and IM&T teams and S&SHIS, and to any other Trust employees and agents of external organisations who are directly or indirectly responsible for the set-up and configuration of information systems and data networks owned or serviced by the Trust.

3.2 Where the networks are shared with other organisations it is the responsibility of each organisation to protect the shared asset, as failure of any party will impact on the other partners.

4. Information Security

4.1 Physical Access Controls

Access to IM&T facilities will be controlled and restricted to authorised users only.

4.2 User Access Controls

Access to information contained within or accessed from local IM&T systems will be controlled and restricted to authorised users only.

Application Access Control – Access to system management tools, program source libraries and utilities will be controlled and restricted to authorised users only.

4.3 Equipment Security

All IM&T assets will be protected from physical security threats and environmental hazards.

4.4 System and Network Security

The Trust’s systems and network will be configured in accordance with Connecting for Health’s Good Practice Guidelines, as outlined in the Trust’s Network Security Policy.

4.5 Security Incident Management

All information security incidents will be reported through the Information Security Incident Reporting Process shown in point 7 below.

4.6 Protection from Malicious Code

Controls will be implemented to detect and prevent infection from contaminated media and communications, in accordance with the Good Practice Guideline Securing against Viruses, Malware and Email Hoaxes version 1.0.

4.7 Monitoring System Access and Use

Internet and e-mail usage will be monitored in accordance with the Data Protection Act 1998.

4.8 Housekeeping

All IM&T assets will be maintained in accordance with the manufacturer’s recommendations, BS ISO/IEC 27001:2013 standards and Connecting for Health’s Good Practice Guidelines.

4.9 External Parties

Risks to the Trust’s information and information processing facilities will be identified and managed prior to granting third-party access. All contracts will contain an appropriate confidentiality clause and meet the requirements of the NHS Care Record Guarantee.

4.11 Business Continuity

A managed process will be developed to counteract the business interruptions caused by major IM&T service failure, in accordance with the Good Practice Guideline: Business Continuity Planning and Disaster Recovery.

4.12 Authorisation

On request, staff will be provided with a personal username/password or ‘smartcard’. These must be used to gain access to any Trust computer. Usernames/passwords and Smart cards will only be issued when authorised by an appropriate authorised signatory, and when identity checks have been completed satisfactorily. Before a password/smartcard is issued, staff must complete the appropriate authorisation/registration forms, read, understand and abide by all information governance policies and complete all necessary training including clinical system training if appropriate and information governance mandatory training.

4.13 Data Encryption

Department of Health guidance must be followed concerning encryption.

4.13.1 Throughout the NHS, technologies are available to organisations which may satisfy some requirements for the encryption of sensitive data. It should be noted though, that encryption products do have some inherent risks and these should be fully understood before implementing any solution.

4.13.2 Where data is to be transferred across the internet or by removable media, encryption conforming to a minimum of AES-256 must be used. The pass phrase for the archive must be of an appropriate length and complexity. To ensure the safety of data in transit, the pass phrase should be communicated to the recipient separately from the encrypted data, so that the intended recipient is the only one able to decrypt the data.

4.13.3 All portable devices containing patient identifiable information or information of a confidential nature must be encrypted as mandated by the Department of Health.

4.14 Monitoring of IT Facilities

Within the provision of UK law, including the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000, the Trust has the right to log and monitor all usage of its networks and computer systems.

4.14.1 The Trust’s networks and computer systems may be monitored and logged for all lawful purposes including:

• Compliance with Trust policies, procedures and regulations

• Ensuring use is authorised

• Management of systems


• Protecting against unauthorised access

• Verifying security procedures

• System and operational security

• Detection and prevention of crime, fraud or illegal activities

4.14.2 Unauthorised monitoring is not permitted. Attempts by any member of staff to implement unauthorised monitoring will be in breach of this policy and may result in disciplinary action. The following is a list of those members of staff, in addition to the Chief Executive, who may authorise monitoring:

Director of Finance and Performance

Director of HR

Head of IM&T Development

Deputy Head of IM&T

Associate Director of S&SHIS

S&SHIS Lead Information Governance

4.15 Some examples of monitoring activity are:

• Examining website logs to ensure that staff are not visiting inappropriate sites

• Checking or using software to check if staff are sending or receiving inappropriate e-mails

• Checking telephone logs to detect misuse of telecommunications

• Examining the contents of computer hard disks to check for any inappropriate material

4.16 Routine monitoring does not include examining the contents of files and communications. Those with elevated access privileges, such as IT system and network administrators, are not entitled, simply by virtue of having those privileges, to examine the contents of user files and communications on the systems they have access to.

5. Network Security

5.1 Physical & Environmental Security

5.1.1 Network computer equipment will be located in a controlled and secure environment, with appropriate access controls, and be subject to regular review.

5.1.2 Critical or sensitive network equipment will be located in an environment that is monitored for temperature and continuity of power supply.

5.1.3 Uninterruptible power supplies, intruder alarms and fire suppression systems will protect critical or sensitive network equipment.


5.1.4 The S&SHIS Head of Technology will maintain and periodically review a list of those with unsupervised access.

5.1.5 All visitors to secure network areas will be logged in and out. The log will contain name, organisation, purpose of visit, date, and time in and out.

5.1.6 Smoking, eating and drinking are forbidden in areas housing critical or sensitive network equipment.

5.1.7 The S&SHIS Head of Technology will ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted, when necessary.

5.1.8 Strict Health and Safety rules to the Trust standards will be maintained in all areas containing network equipment.

5.2 Access Control to the Network

5.2.1 Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the network will comply with the Good Practice Guideline on Remote Access.

5.2.2 A documented registration and de-registration procedure for network user access will be implemented and reviewed regularly.

5.2.3 Network privileges will be defined by relevant Trust and S&SHIS Management, in conjunction with the S&SHIS Head of Technology, and will be appropriate to the requirements of the user's role.

5.2.4 All users will authenticate to the network using their own individual profile and password.

5.2.5 There will be instances where a general login will be required, e.g. where auditors need ad-hoc and limited access to services. This will only be granted with explicit authorisation from the Caldicott Guardian or, in their absence, the Trust’s Information Governance Lead.

5.2.6 All users will protect their network account and password details from unauthorised access.

5.2.7 The Trust will provide the HIS with details of all new starters and leavers which require a network account to be created or deleted.

5.2.8 Network accounts will be disabled and user access rights terminated for users who have departed from the Trust, or changed roles such that access is no longer appropriate.

5.2.9 The HIS will delete all accounts which have been in a disabled status for three months, unless instructed otherwise by the Trust.

5.2.10 Trust owned computers can be connected to the network. Trust staff are allowed to use personal devices in line with the Trust policy.


5.2.11 Trust staff will comply with restrictions on the use of network facilities and access to network delivered applications as laid down in the Trust Acceptable Use Policy.

5.3 Third Party Access Control to the Network

5.3.1 Third party organisations, e.g. contractors, may request access to the network. These requests will be made through the formal, centralised Network Account Process.

5.3.2 The security standards for remote access are defined within S&SHIS IG and Security Policies.

5.3.3 The S&SHIS Lead Information Governance, in consultation with the S&SHIS Head of Technology, will conduct an appropriate risk assessment before authorising third party access to the Trust’s network.

5.3.4 All network access requests will be recorded and securely retained by the S&SHIS Service Desk.

5.3.5 All third-party organisations will comply with the requirements of the Care Record Guarantee and any additional requirements of the Trust. A formal contract will be signed by the third party and the Trust, containing statements concerning information security, data protection and confidentiality, which will bind the contractor to the same rules of governance as Trust and HIS users of the network.

5.3.6 Where the Trust has decided to allow service user or public access to IT services through Trust owned IT equipment, e.g. for therapeutic purposes, these facilities will not be connected to or delivered by the network. If these facilities include internet access, the connection will be direct to a commercial internet provider.

5.4 External Network Connections

5.4.1 All organisations connecting to the Trust’s network will have approved and implemented System Security Policies.

5.4.2 All connections to external networks and systems will conform to Connecting for Health’s Statement of Compliance, the NHS Care Record Guarantee and relevant supporting documentation.

5.4.3 The S&SHIS Lead Information Governance, in consultation with the S&SHIS Head of Technology, will approve all connections to external networks and systems before operation is commenced.

5.5 Maintenance Contracts

5.5.1 Appropriate maintenance contracts will be financed by the Trust, and a replacement programme developed.

5.5.2 The S&SHIS Head of Technology will ensure that maintenance contracts are periodically reviewed for all network equipment.


5.6 Data and Software Exchange

5.6.1 Formal agreements for the exchange of data and software between organisations will be established and approved by the Information Governance Assurance Group. New agreements will be added to the register of data flows.

5.7 Fault Logging

5.7.1 The S&SHIS Head of Technology will maintain a log of all major network faults, and ensure that the relevant details are logged within the S&SHIS Service Management Tool (SMT). A written procedure to report faults and review countermeasures will be developed.

5.8 Security Operating Procedures

5.8.1 Security Operating Procedures will be developed to enable South Staffordshire and Shropshire Healthcare NHS Foundation Trust to comply with Connecting for Health’s Statement of Compliance and the NHS Care Record Guarantee.

5.8.2 Changes to operating procedures will be authorised by the S&SHIS Lead Information Governance, in consultation with the S&SHIS Head of Technology.

5.9 Network Operating Procedures

5.9.1 Documented operating procedures will be prepared for the network, to ensure correct and secure operation.

5.9.2 Changes to operating procedures will be authorised by the S&SHIS Lead Information Governance.

5.10 Data Backup and Restoration

5.10.1 The S&SHIS Head of Technology is responsible for ensuring that backup copies of network configuration and application data are taken regularly.

5.10.2 Documented procedures for the backup process and storage of backup tapes will be produced and communicated to all relevant staff.

5.10.3 All backup tapes will be stored securely and a copy will be stored off-site.

5.10.4 Documented procedures for the safe and secure disposal of backup media will be produced and communicated to all relevant staff.

5.10.5 Users are responsible for ensuring the security of locally stored data as defined in the Acceptable Use of Information and IT Systems SOP.

5.11 Malicious Software/Virus Protection

5.11.1 The HIS will identify gaps in protection against malicious software, virus attacks, spam and phishing attacks and will recommend how these attacks can be managed. The Trust will be responsible for ensuring that appropriate measures are put in place.

5.11.2 To protect the Trust from computer viruses, no document or file from any source outside the Trust should be used unless it has been scanned for known viruses. This requirement covers files in any format, including CD-ROM and email attachments.

5.11.3 Virus-scanning software is made available on every PC that is connected to the Trust network, and such software is regularly updated.

5.11.4 Should you receive a virus warning message or similar from a friend or colleague via email, do not forward it on to others; instead send it to the IT Service Desk to determine the authenticity of the warning.

5.11.5 You must take all necessary precautions to prevent the transmission of computer viruses. You are responsible for ensuring that virus scanning software is regularly updated for any computer you own or use for work purposes.

5.12 Secure Disposal or Re-use of Equipment

5.12.1 The Trust will ensure that obsolete and redundant IT equipment is disposed of in a secure and environmentally acceptable way. This will include making all stored information completely inaccessible following disposal. The process will follow the HIS policy on the Disposal of Redundant IT Equipment.

5.13 Accreditation of Network Systems

5.13.1 Network solutions will be approved by the Trust’s Information Governance Lead prior to the commencement of operation. The S&SHIS Lead Information Governance will play a supporting role to the Trust’s Information Governance Lead.

5.13.2 The S&SHIS Lead Information Governance will be responsible for ensuring that the network does not pose an unacceptable security risk to the organisation.

5.14 Security Audits

5.14.1 Internal audit will undertake periodic reviews, to measure levels of compliance with the Trust’s Network Security SOP. Where appropriate, subsequent recommendations will be implemented by Staffordshire and Shropshire Health Informatics Services, and funded by the Trust.

5.15 System Change Control

5.15.1 The S&SHIS Head of Technology will review major configuration changes to the security of the network. All such changes will be reviewed and approved by the S&SHIS Lead Information Governance.

5.15.2 The S&SHIS Lead Information Governance, in consultation with the S&SHIS Head of Technology, will be responsible for updating the Network Security Policy, design documentation, security operating procedures and network operating procedures. All updates will be reviewed and approved by the Trust’s Information Governance Assurance Group.


5.15.3 The Trust’s Information Governance Lead, in conjunction with the HIS Head of Information Security, will assess new hardware and software deployments to ensure compliance with NHS security standards.

5.15.4 The S&SHIS Lead Information Governance, in consultation with the S&SHIS Head of Technology, will be responsible for Acceptance Testing, prior to the formal acceptance of a proposed network solution.

5.15.5 Where appropriate and available, testing facilities will be used for all new network systems. Development and operational facilities will be separated.

5.16 System Configuration Management

5.16.1 An effective change control process will be implemented to manage alterations to network configuration.

5.17 Security Monitoring

5.17.1 When appropriate, the network will be monitored for potential security breaches. The monitoring of network activity will comply with the Data Protection Act 1998.

5.18 Reporting Security Incidents

5.18.1 Minor security incidents resulting in local network issues will be reported to the HIS Service Desk in accordance with the requirements of the Trust’s IT Incident Reporting Procedure.

5.18.2 Major security incidents, defined as anything that denies access to service, or any incidents of major loss of data or unauthorised access to IT facilities or information through breaching the terms of this document or the guidance in the Acceptable Use of Information and IT Systems SOP, will be reported to the Trust Risk Management Department in accordance with the requirements of the Trust’s Policy on Reporting and Managing Adverse Events.

5.18.3 Security incidents involving criminal intent will be reported to the relevant line manager and escalated to the Trust’s Information Governance Lead and Human Resources. All such security incidents will be investigated in accordance with the NHSIA guidelines and strict disciplinary measures will be taken where such intent is proven.

5.19 Risk Assessment

5.19.1 Risk assessments will be managed by the Trust and conducted by Internal Audit to ensure that the network is adequately protected. Agreed recommendations will be implemented by Staffordshire and Shropshire Health Informatics Services, and funded by the Trust.

5.20 Business Continuity & Disaster Recovery Plans

5.20.1 Business continuity and disaster recovery plans will be developed for the Trust’s Local Area Network.

5.20.2 The Trust will develop Business Continuity Plans for all business critical IT systems.


5.20.3 The HIS will develop appropriate Disaster Recovery plans to meet the requirements of the Trust’s BCP.

5.20.4 The Trust’s Information Governance Assurance Group will ensure that the plans are of appropriate quality and meet the requirements of the Trust.

5.21 Unattended Equipment and Clear Screen

5.21.1 Trust staff who access the network will ensure that the network is protected from unauthorised access.

5.21.2 Trust staff will ensure that any unattended equipment logged on to the network is protected.

• Workstations will be locked, requiring reactivation by password, if the device is not used for more than 5 minutes.

• Trust staff will be expected to follow the guideline in the Trust Acceptable Use of IT Policy.

6. Security Responsibilities

6.1 S&SHIS Lead Information Governance

6.1.1 Ensuring that the Trust’s network is configured to meet the requirements of the Network Security Policy, ISO 17799 and HSCIC’s Good Practice Guidelines.

6.1.2 Producing and implementing effective security countermeasures.

6.1.3 Providing technical support during security incidents.

6.2 Trust Information Governance Lead Responsibilities

6.2.1 Acting as a central point of contact on information security within the organisation, for both staff and external organisations.

6.2.2 Implementing an effective framework for the management of security.

6.2.3 Assisting in the formulation of Information Security Policy and related procedures.

6.2.4 Producing organisational standards, procedures and guidance on Information Security matters for approval by the Information Governance Assurance Group.

6.2.5 Co-ordinating information security activities, particularly those related to shared information systems or IT infrastructures.

6.2.6 Liaising with external organisations on information security matters, including representing the organisation at cross-community committees.

6.2.7 Ensuring that appropriate Data Protection Act notifications are maintained for information stored on the network.

6.2.8 Dealing with enquiries, from any source, in relation to the Data Protection Act and facilitating Subject Access Requests.

6.2.9 Advising users of information systems, applications and networks of their responsibilities under the Data Protection Act, including Subject Access.


6.2.10 Advising the S&SHIS Lead Information Governance on security breaches of the Act and recommended actions.

6.2.11 Encouraging, monitoring and checking compliance with the Data Protection Act.

6.2.12 Liaising with external organisations regarding Data Protection Act matters.

6.2.13 Promoting awareness and providing guidance and advice related to the Data Protection Act as it applies within the Trust.

6.3 S&SHIS Lead Information Governance Responsibilities

6.3.1 Advising the Trust’s Information Security lead on matters relating to IT security.

6.3.2 Creating, maintaining, giving guidance on and overseeing the implementation of IT Security.

6.3.3 Representing the organisation on internal and external committees that relate to IT security.

6.3.4 Ensuring that risks to IT systems are reduced to an acceptable level by applying security countermeasures identified following an assessment of the risk.

6.3.5 Ensuring the systems, application and/or development of required policy standards and procedures in accordance with needs, policy and guidance set centrally by the Information Security Manager.

6.3.6 Ensuring that access to the organisation's network is limited to those who have the necessary authority and clearance.

6.3.7 Providing advice and guidance to development teams to ensure that the policy is complied with.

6.3.8 Approving system security policies for the infrastructure and common services.

6.3.9 Advising the Trust’s Information Governance Lead on the accreditation of IT systems, applications and networks.

6.3.10 Providing a central point of contact on IT security issues.

6.3.11 Providing advice and guidance on:

• Policy Compliance
• Incident Investigation
• IT Security Awareness
• IT Security Training
• IT Systems Accreditation
• Security of External Service Provision
• Contingency Planning for IT systems


6.3.12 Contacting the Trust’s Information Governance Lead Officer when:

• Incidents or alerts have been reported that may affect the organisation's systems, applications or networks.
• Proposals have been made to connect the organisation's systems, applications or networks to systems, applications or networks that are operated by external organisations.
• Relaying the advice of external sources/authorities on IT security matters.

6.4 Trust Management Responsibilities

6.4.1 Ensuring the security of the network, that is information, hardware and software used by staff and, where appropriate, by third parties, is consistent with legal and management requirements and obligations.

6.4.2 Ensuring that staff are made aware of their security responsibilities.

6.4.3 Ensuring that staff have had suitable security training.

6.5 Trust Staff Responsibilities

6.5.1 All personnel or agents acting for the organisation have a duty to:

• Safeguard hardware, software and information in their possession.
• Prevent the introduction of malicious software on the organisation's IT systems.
• Report on any suspected or actual breaches in security.

6.5.2 The Trust will ensure that all users of the network are provided with the necessary security guidance, awareness and, where appropriate, training to discharge their security responsibilities.

6.5.3 Irresponsible or improper actions by users within South Staffordshire and Shropshire Healthcare NHS Foundation Trust may result in disciplinary action. See the Acceptable Use of IT Policy.

7. Process For Monitoring Compliance And Effectiveness

7.1 The Trust will comply with all national NHS information security and information security management standards and guidelines.

7.2 This policy will be reviewed in line with the Authorised Documents Policy, or earlier in light of new national guidance or other significant change in circumstances.

7.3 Compliance with this policy will be monitored through the mechanisms detailed in the table below. The audit and review findings will be reviewed in line with the requirements of the Information Governance Toolkit assessment. Where compliance is deemed to be insufficient and the assurance provided is limited, remedial actions will be drawn together through an action plan. Progress against the action plan will be monitored at the specified committee/group.

7.4 To meet legal and regulatory requirements, the Trust will:

• Educate employees on the policy and how to use computer systems responsibly.

• Enforce the Acceptable Use Policy.

| Aspect of compliance or effectiveness being monitored | Monitoring method | Individual or department responsible for the monitoring | Frequency of the monitoring activity | Group/committee/forum which will receive the findings/monitoring report | Committee/individual responsible for ensuring that the actions are completed |
| --- | --- | --- | --- | --- | --- |
| Process for monitoring and auditing application of acceptable use arrangements | Audit/Review | Information Governance Assurance Group | Annual | Information Governance Assurance Group | Finance and Performance |
| Process for validating staff use and awareness of the policy | Audit/Review of Information Governance Training compliance | Information Governance Assurance Group | Annual | Information Governance Assurance Group | Finance and Performance |
| Assessment against requirements of the Information Governance Toolkit | Audit/Review | Information Governance Assurance Group | Annual | Information Governance Assurance Group | Finance and Performance |

8. References

BS ISO/IEC 17799:2005: http://www.iso.org/iso/catalogue_detail?csnumber=39612

BS ISO/IEC 27001:2013: http://www.iso.org/iso/catalogue_detail?csnumber=54534